GlassWorm: The Invisible Blockchain-Powered Worm That’s Eating Your Dev Environment Alive + Video


Introduction:

The software supply chain has a new nightmare, and its name is GlassWorm. First uncovered in October 2025 by Koi Security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery, this self-propagating worm represents an evolutionary leap in malware design: it uses invisible Unicode characters to hide malicious code in plain sight, leverages the Solana blockchain for takedown-resistant command-and-control, and spreads on its own through stolen credentials to reach ever further into the developer ecosystem. With over 35,800 confirmed installations in its initial wave alone and campaigns continuing to evolve through 2026, GlassWorm has redefined what a supply chain attack looks like.

Learning Objectives:

  • Understand GlassWorm’s unique attack chain, from invisible Unicode code injection to blockchain-based C2 communication
  • Master detection techniques, including PowerShell and Bash scripts to identify compromised extensions
  • Implement practical mitigation strategies to secure developer environments against self-propagating supply chain threats
1. The Invisible Attack: How Unicode Variation Selectors Hide Malicious Code

GlassWorm’s most sinister innovation is its use of Unicode variation selectors: characters the Unicode standard defines to select a glyph variant of the preceding character, which render as nothing at all in a code editor. To a developer inspecting the file by hand, the malicious code looks like empty lines or blank space. As one Koi researcher put it, “Let me say that again: the malware is invisible. Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye”.

The attackers insert a long run of these characters between lines of functional code, producing what looks like a “massive gap” that reviewers scroll past. The selectors are not executable on their own: the run encodes the payload byte by byte, and a short decoder in the visible part of the file reads the run back, rebuilds the script, and executes it. This fooled the developers whose accounts were compromised: they reviewed the modified files, saw nothing wrong, and unwittingly shipped the malware to thousands of users.

Detection: Scanning for Invisible Characters

To find a potential GlassWorm infection, scan extension files for variation selectors. The 16 selectors in the Basic Multilingual Plane (U+FE00 to U+FE0F) are the ones most scripts look for; the 240 supplementary selectors (U+E0100 to U+E01EF) are just as invisible and belong in the pattern too. A single selector next to an emoji or a CJK character is normal, so a hit needs a look; a long run on a line with nothing visible on it is not normal. On Windows, use PowerShell:

```powershell
# Scan VS Code extension files for Unicode variation selectors.
# Covers VS1-VS16 (U+FE00-U+FE0F) and, as an added check, VS17-VS256
# (U+E0100-U+E01EF), which .NET regex sees as the surrogate pair DB40 DD00-DDEF.
$extRoot = Join-Path $env:USERPROFILE ".vscode\extensions"
Get-ChildItem -Path $extRoot -Recurse -File -Include "*.js","*.json" | ForEach-Object {
    $content = Get-Content $_.FullName -Raw -Encoding UTF8
    if ($content -match "[\uFE00-\uFE0F]|\uDB40[\uDD00-\uDDEF]") {
        Write-Host "Suspicious Unicode variation selectors found in: $($_.FullName)" -ForegroundColor Red
    }
}
```

On Linux/macOS, use grep to list the files that contain them (GNU grep; the BSD grep shipped with macOS lacks `-P`, so install `ggrep` from Homebrew there):

```bash
# List extension files containing variation selectors (needs a UTF-8 locale for -P)
grep -rlP "[\x{FE00}-\x{FE0F}\x{E0100}-\x{E01EF}]" ~/.vscode/extensions/ --include="*.js" --include="*.json"
```
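The encoding itself, as an added example in JavaScript rather than GlassWorm's own code: `hidePayload` turns a string into a run of invisible selectors, `recoverPayload` is what a decoder stub does with such a run, and `scanSource` is the detection counterpart to the commands above, counting selectors per line so that a single emoji modifier is ignored but a run on an otherwise blank line is flagged. The byte-to-selector mapping (bytes 0 to 15 on U+FE00 to U+FE0F, bytes 16 to 255 on U+E0100 to U+E01EF) is the usual one for this trick and is an assumption here; the sample source is constructed and the hidden payload is a harmless `console.log`.

```javascript
'use strict';
// Added example (not GlassWorm's own code): hide a payload in Unicode variation
// selectors, recover it the way a decoder stub would, and scan source for it.
// ASSUMPTION: byte mapping 0-15 -> U+FE00..U+FE0F, 16-255 -> U+E0100..U+E01EF,
// the usual mapping for this trick; the real sample's mapping may differ.

const VS_BMP_BASE = 0xFE00;    // VS1..VS16  (16 code points)
const VS_SUPP_BASE = 0xE0100;  // VS17..VS256 (240 code points)

function byteToSelector(b) {
  return String.fromCodePoint(b < 16 ? VS_BMP_BASE + b : VS_SUPP_BASE + (b - 16));
}

// Returns the byte a selector encodes, or -1 for any other character.
function selectorToByte(cp) {
  if (cp >= 0xFE00 && cp <= 0xFE0F) return cp - VS_BMP_BASE;
  if (cp >= 0xE0100 && cp <= 0xE01EF) return cp - VS_SUPP_BASE + 16;
  return -1;
}

// Encode the UTF-8 bytes of `payload` as a run of zero-width selectors.
function hidePayload(payload) {
  return Array.from(Buffer.from(payload, 'utf8'), byteToSelector).join('');
}

// Decode every selector in `text`, skipping visible characters.
function recoverPayload(text) {
  const bytes = [];
  for (const ch of text) {
    const b = selectorToByte(ch.codePointAt(0));
    if (b >= 0) bytes.push(b);
  }
  return Buffer.from(bytes).toString('utf8');
}

// Report lines carrying at least `threshold` selectors. One selector is normal
// (emoji presentation, CJK glyph variants); a long run on a blank line is not.
function scanSource(source, threshold = 8) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    let selectors = 0, visible = 0;
    for (const ch of line) {
      if (selectorToByte(ch.codePointAt(0)) >= 0) selectors++; else visible++;
    }
    if (selectors >= threshold) findings.push({ line: idx + 1, selectors, visible });
  });
  return findings;
}

// Constructed sample of a trojanised extension entry point: line 3 renders as
// an empty line in an editor but carries a (harmless) encoded payload.
const HIDDEN_PAYLOAD = 'console.log("constructed payload")';
const sampleSource = [
  'const vscode = require("vscode");',
  '',
  hidePayload(HIDDEN_PAYLOAD),
  'function activate(context) {',
  '  // a real decoder stub would read the "blank" line above and eval() it',
  '}',
  'module.exports = { activate };',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const targets = process.argv.slice(2);
  if (targets.length === 0) {
    console.log(scanSource(sampleSource), JSON.stringify(recoverPayload(sampleSource)));
  }
  for (const file of targets) {
    for (const f of scanSource(fs.readFileSync(file, 'utf8'))) {
      console.log(`${file}:${f.line}: ${f.selectors} variation selectors, ${f.visible} visible chars`);
    }
  }
}
```

Run it with no arguments to see the scanner flag line 3 of the sample and recover the payload, or pass extension files (`node scan.js ~/.vscode/extensions/*/out/*.js`) to scan them; the `visible` count in each finding tells you whether the run sits on a blank line or is tucked inside a real one.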

2. Triple-Layer C2: Takedown-Resistant Command Infrastructure

What makes GlassWorm so hard to disrupt is its triple-layer command-and-control architecture. The primary channel is the Solana public blockchain: the malware carries the attacker’s wallet address hardcoded and polls the network for transactions sent from that address. When it finds one, it reads the transaction’s memo field, which holds a Base64-encoded JSON object listing the current C2 server URLs. Rotating C2 servers therefore costs the attacker one cheap transaction, and nothing short of the chain itself can remove the record.

The attacker-controlled wallet, 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2, is an immutable dead drop that no registrar, hosting provider or abuse desk can take down. The second tier connects directly to the hardcoded IP address 217.69.3.218, and the third falls back to Google Calendar as a backup channel. If one channel is blocked, the malware keeps receiving instructions through the others, so blocking a single IP or domain is not a fix.

Network Detection: Blocking C2 Communication

To block the known GlassWorm C2 infrastructure at the host, add outbound firewall rules. IP blocks are a stopgap: the blockchain channel lets the attacker publish new addresses at any time, so treat the list as indicators to alert on rather than as a cure. On Windows, run from an elevated PowerShell:

```powershell
# Block known GlassWorm C2 IP addresses (requires an elevated session)
$C2IPs = @("217.69.3.218", "140.82.52.31", "45.32.151.157", "45.77.60.153")
foreach ($ip in $C2IPs) {
    New-NetFirewallRule -DisplayName "Block GlassWorm C2 - $ip" -Direction Outbound -Action Block -RemoteAddress $ip
}
```

On Linux, use iptables (these rules do not survive a reboot; save them with `iptables-save` or your distribution’s firewall tooling):

```bash
# Block known GlassWorm C2 IPs
for ip in 217.69.3.218 140.82.52.31 45.32.151.157 45.77.60.153; do
    sudo iptables -A OUTPUT -d "$ip" -j DROP
done
```

Monitor network logs for connections to these indicators, and also for connections to the sinkhole IP 164.92.88.210 that CrowdStrike established during the takedown: a host that reaches the sinkhole is one that was already infected and is now phoning it instead of the attacker.
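An added example, not part of the original report, of turning these indicators into detection logic over network telemetry: each event (a constructed record with timestamp, process name, destination IP, host, path and, for proxied JSON-RPC calls, the request body) is matched against the C2 IPs, the sinkhole, Solana RPC lookups that mention the dead-drop wallet, and Google Calendar API calls made by a developer-tool process. The IOC values are the ones listed above; the RPC host name `api.mainnet-beta.solana.com`, the process-name list and the event shape are assumptions.

```javascript
'use strict';
// Added example, not part of the original report: triage network telemetry
// (proxy or EDR events) against the GlassWorm indicators given above. The event
// format and the sample events are constructed; only the IOC values come from
// the article. ASSUMPTION: api.mainnet-beta.solana.com as the public RPC host.

const C2_IPS = new Set(['217.69.3.218', '140.82.52.31', '45.32.151.157', '45.77.60.153']);
const SINKHOLE_IP = '164.92.88.210';
const DEAD_DROP_WALLET = '28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2';
const SOLANA_RPC_HOSTS = new Set(['api.mainnet-beta.solana.com']);
// Processes that have no business talking to a calendar API on their own (assumption).
const DEV_TOOL_PROCS = new Set(['code', 'code.exe', 'node', 'node.exe', 'cursor', 'windsurf', 'codium']);

function isCalendarApi(ev) {
  return ev.host === 'calendar.google.com' ||
    (ev.host === 'www.googleapis.com' && (ev.path || '').startsWith('/calendar/'));
}

// Returns the list of reasons an event is suspicious (empty = nothing matched).
function classifyEvent(ev) {
  const reasons = [];
  if (C2_IPS.has(ev.dst)) reasons.push('known GlassWorm C2 IP');
  if (ev.dst === SINKHOLE_IP) reasons.push('contact with the takedown sinkhole: host was infected');
  if (SOLANA_RPC_HOSTS.has(ev.host) && (ev.body || '').includes(DEAD_DROP_WALLET))
    reasons.push('Solana RPC query for the dead-drop wallet');
  if (isCalendarApi(ev) && DEV_TOOL_PROCS.has(ev.process))
    reasons.push('Google Calendar API reached from a developer tool process (fallback C2 pattern)');
  return reasons;
}

function triage(events) {
  return events
    .map(ev => ({ ...ev, reasons: classifyEvent(ev) }))
    .filter(r => r.reasons.length > 0);
}

// Constructed sample telemetry: one benign GitHub fetch, then the four patterns.
const sampleEvents = [
  { ts: '2025-10-18T09:12:01Z', process: 'code', dst: '203.0.113.5', host: 'github.com', path: '/' },
  { ts: '2025-10-18T09:12:05Z', process: 'node', dst: '217.69.3.218', host: null, path: '/' },
  { ts: '2025-10-18T09:12:07Z', process: 'node', dst: '203.0.113.10', host: 'api.mainnet-beta.solana.com', path: '/',
    body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'getSignaturesForAddress', params: [DEAD_DROP_WALLET] }) },
  { ts: '2025-10-18T09:12:09Z', process: 'node', dst: '203.0.113.11', host: 'www.googleapis.com', path: '/calendar/v3/calendars/primary/events' },
  { ts: '2025-10-18T09:12:11Z', process: 'chrome', dst: '203.0.113.11', host: 'www.googleapis.com', path: '/calendar/v3/calendars/primary/events' },
  { ts: '2025-10-18T09:13:00Z', process: 'node', dst: '164.92.88.210', host: null, path: '/' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of triage(sampleEvents)) {
    console.log(hit.ts, hit.process, hit.dst, '->', hit.reasons.join('; '));
  }
}
```

The browser's own calendar call is deliberately not flagged: the signal is not "someone used Google Calendar" but "an editor or Node process did", which is the only way to make the calendar tier visible without blocking a service developers legitimately use.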

3. Self-Propagation: The Worm That Feeds on Credentials

GlassWorm’s true worm behavior sets it apart from traditional supply chain compromises. After infecting a system, it harvests NPM tokens, GitHub credentials, Git credentials, and OpenVSX access tokens. These stolen credentials are then automatically used to compromise additional packages and extensions, with each new victim becoming a launch point for further infections.

The malware targets 49 different cryptocurrency wallet extensions, deploys SOCKS proxy servers that turn developer machines into criminal infrastructure, and installs hidden VNC (HVNC) servers for complete remote access via the “ZOMBI” RAT. This creates a self-sustaining infection cycle that spreads exponentially through the developer ecosystem.

Credential Hygiene: Auditing and Rotating Secrets

Organizations should immediately audit and rotate every credential that may have been exposed: npm tokens, GitHub tokens, stored Git credentials, and OpenVSX access tokens (rotate those from your open-vsx.org profile). Revocation alone is not enough: because the worm uses stolen tokens to publish, also check your recent npm and OpenVSX publishes and your recent GitHub commits and workflow runs for activity you did not perform.

```bash
# List npm tokens for the logged-in user (id, creation date, CIDR restrictions)
npm token list

# Revoke each token by id, then mint fresh ones
npm token revoke <token-id>
```

```bash
# Show which GitHub account and token the gh CLI is using
gh auth status
# Drop the cached gh token; the PAT itself is revoked in GitHub Settings > Developer settings > Personal access tokens
gh auth logout
```

For stored Git credentials, purge what the helper has cached first (once the helper is unset there is nothing left to talk to), then remove the helper until you have chosen a safer one:

```bash
# Linux/macOS: ask every configured helper to forget github.com (the description is read from stdin)
printf 'protocol=https\nhost=github.com\n' | git credential reject
git config --global --unset credential.helper
# The plaintext store, if it was ever used
rm -f ~/.git-credentials
```

```bat
:: Windows (cmd): remove the helper, then delete Git entries from Credential Manager
git config --global --unset credential.helper
cmdkey /list | findstr git
cmdkey /delete:<target>
```
4. The Zig Evolution: Infecting Every IDE on Your Machine

By April 2026, GlassWorm had evolved again. Attackers began shipping a native binary compiled with Zig inside a fake WakaTime extension (`specstudio.code-wakatime-activity-tracker`). The extension bundles `win.node` on Windows or `mac.node` on macOS: Node.js native addons that load straight into the editor’s Node runtime and run as ordinary machine code with the editor’s full operating-system privileges. Nothing in the extension’s JavaScript shows what the addon does, so a reviewer reading the visible source sees only a harmless-looking `require()`.

The binary’s first job is to enumerate every IDE on the system that supports VS Code extensions: VS Code, VS Code Insiders, VSCodium, Positron, Cursor and Windsurf. It then downloads a malicious VSIX from an attacker-controlled GitHub account and silently installs it into every detected IDE through each editor’s command-line installer. The second-stage extension is a dropper that refuses to run on Russian systems, reaches the Solana blockchain for C2, and ultimately deploys an information-stealing Chrome extension.

Detection: Scanning for Zig Droppers

Check for native binaries in extension directories. Some legitimate extensions ship native addons, so a hit is a lead to verify (publisher, whether the extension’s source repository actually builds that binary, the file’s hash) rather than proof of compromise. Repeat the scan for every IDE’s extension directory, not just `~/.vscode`, because the dropper installs into all of them (`~/.vscode-insiders`, `~/.vscode-oss` for VSCodium, `~/.cursor`, `~/.windsurf`, and the equivalent for Positron).

```powershell
# Windows: list native addons (.node) in extension directories with their magic bytes
# (4D-5A = PE/Windows, 7F-45-4C-46 = ELF, CF-FA-ED-FE or CA-FE-BA-BE = Mach-O)
Get-ChildItem -Path (Join-Path $env:USERPROFILE ".vscode\extensions") -Recurse -File -Filter "*.node" | ForEach-Object {
    $sig = [System.BitConverter]::ToString([System.IO.File]::ReadAllBytes($_.FullName)[0..3])
    Write-Host "Native addon ($sig) in extension: $($_.FullName)"
}
```

```bash
# Linux/macOS: find native addons and let file(1) identify them
find ~/.vscode/extensions -name "*.node" -exec file {} \; | grep -E "ELF|Mach-O|PE32"
```

5. The Compromised Extensions: Know Your Enemy

The initial October 2025 wave compromised 14 extensions across OpenVSX and the Microsoft Extension Marketplace. Known malicious versions include:

| Extension | Malicious versions |
|---|---|
| `codejoy.codejoy-vscode-extension` | 1.8.3, 1.8.4 |
| `l-igh-t.vscode-theme-seti-folder` | 1.2.3 |
| `kleinesfilmroellchen.serenity-dsl-syntaxhighlight` | 0.3.2 |
| `JScearcy.rust-doc-viewer` | 4.2.1 |
| `SIRILMP.dark-theme-sm` | 3.11.4 |
| `CodeInKlingon.git-worktree-menu` | 1.0.9, 1.0.91 |
| `cline-ai-main.cline-ai-agent` | 3.1.3 (Microsoft Marketplace) |

Subsequent waves added dozens more, including extensions impersonating Flutter, React, Tailwind, Vim, and Vue tools. The campaign has since evolved to abuse the `extensionPack` and `extensionDependencies` manifest fields: attackers publish a clean-looking extension, then push an update that declares a dependency on a separate, malicious payload extension, which the editor installs automatically.

Automated Detection Script

A community-developed detector automates the version check. Read the script before running it: a detection tool pulled from GitHub in the middle of an incident is itself a supply-chain artifact.

```powershell
# Windows: clone and run the detector
git clone https://github.com/marcfbe/tool-glassworm-detector.git
cd tool-glassworm-detector
.\Check-MaliciousExtensions.ps1 -Detailed
```

```bash
# Linux/macOS
git clone https://github.com/unic/glassworm-detect.git
cd glassworm-detect
./glassworm-detect.sh
```

6. Mitigation: Hardening Your Development Environment

Given the sophistication of GlassWorm, organizations must adopt a defense-in-depth approach:

1. Extension Inventory and Allowlisting

Maintain a strict inventory of all installed VS Code extensions and consider implementing a centralized allowlist. Remove any extensions that are no longer in use—each installed extension extends your attack surface.

2. Disable Auto-Updates or Implement Delay

VS Code extensions auto-update by default, which is why users received the malicious versions without taking any action. VS Code 1.123 introduced a two-hour delay before an automatic extension update is applied, to limit the blast radius of a hijacked publisher. Consider going further with a minimum release-age policy (a `minimumReleaseAge`-style rule of the kind package managers now offer), so that a version is not installed until it has been public for a set period, and pin exact versions for anything that can touch credentials.

3. Audit Installed Extensions

Regularly audit your extensions for abnormal activity such as suspicious network connections, vulnerable dependencies, and strange API usage.

 List all installed VS Code extensions with versions
code --list-extensions --show-versions

4. Verify Publisher Reputation

Before installing any extension, check for reviews, extension history, and publisher reputation. Be extremely cautious with extensions that have few downloads or recently changed publishers.

5. Network Monitoring

Monitor outbound connections for communication with known C2 infrastructure. Implement egress filtering to prevent unauthorized outbound connections from developer workstations.
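An added example (not from the original article) that covers the first three points: it parses the output of `code --list-extensions --show-versions`, pins every installed extension to its current version in an `extensions.allowed` object, and reports the weak settings (`extensions.autoUpdate` left on, no allowlist, an allowlist that trusts a whole publisher) against the hardened ones. The meaning of `extensions.allowed` (a publisher or `publisher.name` key mapped to `true` or to a list of permitted versions) and of `extensions.autoUpdate` is taken from the VS Code settings and is an assumption here; the inventory text is constructed. Run it once per IDE, because Cursor, VSCodium and the others each keep their own extension list and settings.

```javascript
'use strict';
// Added example (not from the original article): build a pinned extension
// allowlist from `code --list-extensions --show-versions` output and check a
// settings.json for the weak defaults. ASSUMPTIONS: the `extensions.allowed`
// setting (publisher or publisher.name -> true | [versions]) and the
// `extensions.autoUpdate` setting as documented by VS Code; the inventory text
// below is constructed.

// Parse lines of the form  publisher.name@1.2.3  into {id: version}.
function parseInventory(text) {
  const inventory = {};
  for (const raw of text.split('\n')) {
    const m = raw.trim().match(/^([A-Za-z0-9][\w-]*\.[A-Za-z0-9][\w-]*)@(\S+)$/);
    if (m) inventory[m[1].toLowerCase()] = m[2];
  }
  return inventory;
}

// Turn the inventory into an `extensions.allowed` object that pins every
// extension to the version currently installed. Anything not listed, and any
// newer version, is refused until someone consciously updates the pin.
function buildAllowed(inventory, extraAllowed = {}) {
  const allowed = {};
  for (const [id, version] of Object.entries(inventory)) allowed[id] = [version];
  return { ...allowed, ...extraAllowed };
}

// Returns warnings for a settings object; empty means hardened.
function auditSettings(settings) {
  const warnings = [];
  const autoUpdate = settings['extensions.autoUpdate'];
  if (autoUpdate === undefined || autoUpdate === true)
    warnings.push('extensions.autoUpdate is on (default): a hijacked publisher pushes code to you with no action on your side');
  if (settings['extensions.autoCheckUpdates'] !== false)
    warnings.push('extensions.autoCheckUpdates is on: the editor will prompt to install versions nobody has reviewed');
  const allowed = settings['extensions.allowed'];
  if (!allowed || Object.keys(allowed).length === 0)
    warnings.push('extensions.allowed is unset: any marketplace extension can be installed');
  else if (Object.values(allowed).some(v => v === true))
    warnings.push('extensions.allowed trusts a whole publisher (true): a compromised publisher account still gets in');
  return warnings;
}

// The hardened counterpart of a weak settings object.
function hardenSettings(settings, inventory) {
  return {
    ...settings,
    'extensions.autoUpdate': false,
    'extensions.autoCheckUpdates': false,
    'extensions.allowed': buildAllowed(inventory),
  };
}

// Constructed inventory, in the format `code --list-extensions --show-versions` prints.
const sampleInventory = `
ms-python.python@2025.14.0
esbenp.prettier-vscode@11.0.0
codejoy.codejoy-vscode-extension@1.8.3
`;

if (typeof require !== 'undefined' && require.main === module) {
  const inv = parseInventory(sampleInventory);
  console.log('weak settings:', auditSettings({}));
  console.log('hardened settings:', auditSettings(hardenSettings({}, inv)));
  console.log(JSON.stringify(hardenSettings({}, inv), null, 2));
}
```

Pinning to whatever is installed today is a snapshot, not a review: the sample inventory deliberately contains a version from the table above, and an allowlist built from it would pin that version in place. Cross-check the inventory against the known-bad list before you freeze it.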

7. The Broader Threat Landscape: A Pattern of Autonomous Supply Chain Malware

GlassWorm follows Shai Hulud, discovered just one month earlier as the first self-propagating worm in the npm ecosystem. This pattern reveals a troubling trend: attackers have figured out how to make supply chain malware that spreads autonomously through the entire software development ecosystem. The implications are profound—every developer machine is now a potential entry point for a worm that can compromise the entire software supply chain.

By May 2026, GlassWorm had infiltrated more than 400 source code repositories and software utilities across GitHub, npm, and VSCode/OpenVSX. The botnet was eventually disrupted through a coordinated takedown of all four C2 channels by CrowdStrike, Google, and other security firms.

What Undercode Say:

  • The invisible threat is real: Unicode variation selectors represent a fundamental blind spot in code review processes. Organizations must implement automated scanning for invisible characters rather than relying on manual inspection.

  • Blockchain C2 is the new normal: Attackers have demonstrated that public blockchains provide immutable, takedown-resistant command infrastructure. Traditional domain-blocking and IP-based defenses are no longer sufficient—security teams must develop new detection strategies.

  • Developer credentials are gold: The self-propagating nature of GlassWorm means that a single compromised credential can lead to widespread infection. Credential rotation and strict access controls are no longer optional.

  • Supply chain security requires proactive measures: The pattern of autonomous supply chain malware—from Shai Hulud to GlassWorm—demands that organizations treat developer environments as critical infrastructure requiring the same security rigor as production systems.

Prediction:

  • +1 The disruption of the GlassWorm botnet in May 2026 demonstrates that coordinated industry collaboration can effectively neutralize even the most resilient threats. This sets a precedent for future takedown operations against blockchain-based C2 infrastructure.

  • -1 The evolution of GlassWorm through four distinct waves in just eight months proves that threat actors are highly adaptive. New variants will continue to emerge, incorporating novel evasion techniques and targeting additional developer tools.

  • -1 The abuse of transitive dependencies through `extensionPack` and `extensionDependencies` creates an attack surface that is difficult to detect and mitigate. This technique is likely to be adopted by other threat actors targeting package ecosystems.

  • +1 VS Code’s implementation of a two-hour auto-update delay and the Eclipse Foundation’s mandatory pre-publish security checks for OpenVSX represent positive steps toward securing the extension ecosystem. These measures will reduce the impact of future supply chain attacks.

  • -1 The success of GlassWorm highlights fundamental vulnerabilities in how developer tools are distributed and updated. Until marketplace security matures significantly, developers remain prime targets for sophisticated supply chain attacks.

▶️ Related Video (86% Match):

https://www.youtube.com/watch?v=0XumkGQFEEk


Reported By: Varshu25 Glassworm – Hackers Feeds